Is the iPhone Vulnerable to SMS Spoofing and Hacks? Yes, but Don't Blame your Wireless Carrier

By Tony Rizzo August 24, 2012

On August 17 last week, the researcher behind the pod2g blog posted a claim that he had discovered a vulnerability in the iPhone's SMS software that, if exploited, would allow a phisher or other attacker to gain a mobile user's trust by spoofing the apparent sender of a text message, potentially leading to further and more harmful mischief.

Following the disclosure, various wireless carriers found themselves being blamed for the security hole.

It turns out, however, that no matter how much you may want to blame your carrier for your iPhone's security vulnerability, the truth is there’s only Apple to blame.

The vulnerability itself is technical in nature but also exceptionally easy to understand. The SMS protocol provides an optional "Reply-Address" field, which a knowledgeable person could use to make a message appear to come from someplace other than where it originated. That is, a message could be shown as coming from a "trusted" source (e.g. a familiar phone number or name) when it was actually coming from a malicious one.

Why provide such a capability in the first place?

“Historically, the ‘reply-address’ field was introduced to allow users to reply to texts which were ‘broadcast’ from information agencies or marketing firms, for example. These broadcast systems may not be capable of receiving messages, so this system allows for more interaction,” said Cathal McDaid, Security Consultant at AdaptiveMobile.

Outside that use, the SMS protocol is very explicit about how the “feature” must be treated. The issue pod2g identified is that the iPhone SMS client displays the reply-address as the sending address and does not show the real “originating-address” at all.

“We know conclusively that this is not a wireless carrier network problem because the 3GPP specification – which outlines how modern mobile phones and networks operate today – discusses the security implications of this field in all phones and gives recommendations on how to avoid malicious use of this,” continued McDaid. “We have tested this issue on Android, Windows Mobile, BlackBerry and Symbian phones and most of them simply ignore the ‘reply-address’ field or display both the ‘real’ originating address and the reply address – which is what the specification recommends.”

"The use of the Reply-Address is exceptionally rare in mobile networks now," McDaid added. "It is not used due to the fact that it's not supported by many devices and the original scenario that it was addressing never really materialized – it is one of the many extended SMS function fields that didn't get much traction. The simple answer to the problem then is to simply ignore the reply-address field altogether."

And this is exactly what almost all other device manufacturers do. The iPhone, almost as if by magic, is the only smart mobile device that doesn't ignore it, and it is at the same time the only one whose SMS software does not comply with the SMS protocol security recommendations. Apple is well aware of the issue and the security weakness, but for reasons only Apple knows, the company has not stated any intention of fixing this rather simple-to-fix problem.
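To make the two behaviours described above concrete (a client that shows the reply-address as the sender, versus one that follows the 3GPP recommendation and keys sender identity on the originating address), here is an added example in Python. It is illustration written for this article, not code from pod2g, Apple or AdaptiveMobile. It assumes the field the article calls the "reply-address" is the Reply Address Element of the SMS User Data Header in 3GPP TS 23.040 (IEI 0x22), encoded with the same Address-Length / Type-of-Address / BCD layout as TP-Originating-Address; the two SMS-DELIVER PDUs are constructed here and use TP-DCS 0x04 (8-bit data) so the body needs no 7-bit unpacking.

```python
"""Parse an SMS-DELIVER PDU and render it two ways: the way the article says the
iPhone client behaved in 2012 (reply address shown as the sender) and the way
McDaid describes the 3GPP recommendation (originating address is the sender;
the reply address is ignored for identity or shown beside it as metadata).

Added illustration, not code from the article.  Assumptions: the reply-address is
the User-Data-Header Reply Address Element (3GPP TS 23.040, IEI 0x22) laid out
like TP-Originating-Address; sample PDUs are constructed; TP-DCS is 0x04 (8-bit).
"""

IEI_REPLY_ADDRESS = 0x22  # UDH information-element identifier: Reply Address Element
TP_UDHI = 0x40            # first-octet bit: a User Data Header precedes the text

# Constructed sample 1: originating address +15550009999, but the UDH carries a
# Reply Address Element naming +15550001234.  Text: "Reply to this text".
SPOOFED_PDU = bytes.fromhex(
    "40"                            # TP-MTI = SMS-DELIVER, TP-UDHI set
    "0B91 5155 0090 99F9"           # TP-OA: 11 digits, international, +15550009999
    "00 04"                         # TP-PID, TP-DCS (8-bit data)
    "21 80 42 21 00 00 00"          # TP-SCTS: 2012-08-24 12:00:00 UTC, nibble-swapped
    "1D"                            # TP-UDL: 29 octets of user data (UDH + text)
    "0A 22 08 0B91 5155 0010 32F4"  # UDH: length 10; IEI 0x22, length 8, +15550001234
    "52 65 70 6C 79 20 74 6F 20 74 68 69 73 20 74 65 78 74"  # "Reply to this text"
)
# Constructed sample 2: same originating address, no UDH, text "hi".
PLAIN_PDU = bytes.fromhex("00 0B91 5155 0090 99F9 00 04 21 80 42 21 00 00 00 02 68 69")


def decode_address(buf: bytes, pos: int):
    """Decode a TS 23.040 address at buf[pos]; return (number, position after it)."""
    ndigits = buf[pos]                       # Address-Length counts useful semi-octets
    toa = buf[pos + 1]                       # Type-of-Address; 0x91 = international
    nbytes = (ndigits + 1) // 2
    raw = buf[pos + 2:pos + 2 + nbytes].hex().upper()
    # Digits are stored nibble-swapped; an odd count is padded with F.
    digits = "".join(raw[i + 1] + raw[i] for i in range(0, len(raw), 2))[:ndigits]
    prefix = "+" if (toa & 0x70) == 0x10 else ""
    return prefix + digits, pos + 2 + nbytes


def parse_sms_deliver(pdu: bytes) -> dict:
    """Return originating address, optional reply address and text of an SMS-DELIVER."""
    first = pdu[0]
    if first & 0x03 != 0:
        raise ValueError("not an SMS-DELIVER PDU")
    originating, pos = decode_address(pdu, 1)
    dcs = pdu[pos + 1]
    if dcs != 0x04:
        raise NotImplementedError("example handles only 8-bit TP-DCS 0x04")
    pos += 2 + 7                             # skip TP-PID, TP-DCS and the 7-octet TP-SCTS
    udl = pdu[pos]
    ud = pdu[pos + 1:pos + 1 + udl]
    reply_address = None
    if first & TP_UDHI:
        udhl = ud[0]
        i = 1
        while i < 1 + udhl:                  # walk the information elements
            iei, iedl = ud[i], ud[i + 1]
            if iei == IEI_REPLY_ADDRESS:
                reply_address, _ = decode_address(ud, i + 2)
            i += 2 + iedl
        ud = ud[1 + udhl:]                   # the text follows the header
    return {"originating": originating, "reply_address": reply_address,
            "text": ud.decode("ascii")}


def render_vulnerable(msg: dict) -> str:
    """Behaviour the article attributes to the iPhone: reply address shown as sender."""
    return f"From: {msg['reply_address'] or msg['originating']}\n{msg['text']}"


def render_hardened(msg: dict) -> str:
    """3GPP-style behaviour: TP-OA is the sender; a differing reply address is at most
    shown as separate, unverified metadata and never replaces the sender line."""
    header = f"From: {msg['originating']}"
    if msg["reply_address"] and msg["reply_address"] != msg["originating"]:
        header += f"\nReply address (unverified, not the sender): {msg['reply_address']}"
    return header + "\n" + msg["text"]


if __name__ == "__main__":
    for pdu in (SPOOFED_PDU, PLAIN_PDU):
        m = parse_sms_deliver(pdu)
        print("--- vulnerable rendering ---\n" + render_vulnerable(m))
        print("--- hardened rendering ---\n" + render_hardened(m) + "\n")
```

Running it shows the first PDU rendered as "From: +15550001234" by the vulnerable path and as "From: +15550009999" (with the reply address relegated to a labelled extra line) by the hardened one; the second PDU renders identically both ways. A production client would additionally need to handle 7-bit and UCS-2 TP-DCS values, concatenation elements in the same header, and the SMSC prefix that most modems prepend to the PDU.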

Apple has suggested using its iMessage service instead to circumvent the problem. That is an interesting approach for Apple to take, but even with Apple extremists there will be times when an iPhone user may want to communicate with someone other than another iPhone user – it's been known to happen.

Of course, Apple will play the contrarian any time it can, but even so, we can't quite figure out why it is the lone agent here supporting a defunct SMS feature that presents a security hole if improperly handled (and Apple handles it improperly).

For those of you waiting to upgrade to iOS 6, it won't fix the problem. The beta 4 version of iOS 6, which will likely become the shipping version in a few weeks, still has the problem. There is no Apple magic on this particular issue.

Edited by Braden Becker

TechZone360 Senior Editor
